dcrat | 5da69a712a8b80d139165692c4fa4c002370e609bb1b5a4a22e2abb55f7571ca

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.7MB
MD5

2b8c0e5a38a065f3dadb659cf1e71bc8
SHA1

314cc5b791911185d67c6bc558fe8e376f2b83f4
SHA256

5da69a712a8b80d139165692c4fa4c002370e609bb1b5a4a22e2abb55f7571ca
SHA512

fd20f911e02122f9d8b1b15688455799d66377be4dccfde6b7e6fb41748bc3342b889984697d96086c9ccd35c945f5089ed5ce3fb18e3808da61e261b09298d4
SSDEEP

24576:U2G/nvxW3Ww0tBm1k+lGhdCg0MWe0dZ1roO+Lftnln/DQhwdReG8+wnoSHIPlr:UbA30BGkPQgqdLYFsAReGUhol

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	408	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	408	schtasks.exe	95

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	surrogatebrowserRuntime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	surrogatebrowserRuntime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	surrogatebrowserRuntime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000700000002342c-10.dat	dcrat
behavioral2/memory/1400-13-0x0000000000A10000-0x0000000000B86000-memory.dmp	dcrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	surrogatebrowserRuntime.exe

Executes dropped EXE 2 IoCs

pid	Process
1400	surrogatebrowserRuntime.exe
964	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	surrogatebrowserRuntime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	surrogatebrowserRuntime.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office16\dwm.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files\VideoLAN\surrogatebrowserRuntime.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files (x86)\Windows NT\e1ef82546f0b02	surrogatebrowserRuntime.exe
File created	C:\Program Files\Microsoft Office\Office16\6cb0b6c459d5d3	surrogatebrowserRuntime.exe
File created	C:\Program Files\Common Files\Services\121e5b5079f7c0	surrogatebrowserRuntime.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files\VideoLAN\68735a9352b4c3	surrogatebrowserRuntime.exe
File created	C:\Program Files (x86)\Windows NT\SppExtComObj.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\9e8d7a4ca61bd9	surrogatebrowserRuntime.exe
File created	C:\Program Files\Common Files\Services\sysmon.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files\Windows Defender\de-DE\6cb0b6c459d5d3	surrogatebrowserRuntime.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe	surrogatebrowserRuntime.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\29c1c3cc0f7685	surrogatebrowserRuntime.exe
File created	C:\Program Files\Windows Defender\de-DE\dwm.exe	surrogatebrowserRuntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\servicing\uk-UA\SppExtComObj.exe	surrogatebrowserRuntime.exe
File created	C:\Windows\servicing\ja-JP\explorer.exe	surrogatebrowserRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1568	schtasks.exe
2896	schtasks.exe
4584	schtasks.exe
3620	schtasks.exe
5116	schtasks.exe
3804	schtasks.exe
1564	schtasks.exe
3568	schtasks.exe
2904	schtasks.exe
1908	schtasks.exe
1492	schtasks.exe
320	schtasks.exe
3712	schtasks.exe
2156	schtasks.exe
2188	schtasks.exe
772	schtasks.exe
4416	schtasks.exe
1820	schtasks.exe
1848	schtasks.exe
5024	schtasks.exe
4932	schtasks.exe
4912	schtasks.exe
2592	schtasks.exe
1572	schtasks.exe
3088	schtasks.exe
1688	schtasks.exe
980	schtasks.exe
2764	schtasks.exe
4724	schtasks.exe
4324	schtasks.exe
3724	schtasks.exe
4404	schtasks.exe
3360	schtasks.exe
5104	schtasks.exe
1392	schtasks.exe
2696	schtasks.exe
4244	schtasks.exe
4508	schtasks.exe
2804	schtasks.exe
4816	schtasks.exe
1628	schtasks.exe
2712	schtasks.exe
5100	schtasks.exe
2348	schtasks.exe
436	schtasks.exe
2324	schtasks.exe
2316	schtasks.exe
816	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	DCRatBuild.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
1400	surrogatebrowserRuntime.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
964	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	surrogatebrowserRuntime.exe
Token: SeDebugPrivilege	964	SearchApp.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe
964	SearchApp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1080	1964	DCRatBuild.exe	85
PID 1964 wrote to memory of 1080	1964	DCRatBuild.exe	85
PID 1964 wrote to memory of 1080	1964	DCRatBuild.exe	85
PID 1080 wrote to memory of 4408	1080	WScript.exe	96
PID 1080 wrote to memory of 4408	1080	WScript.exe	96
PID 1080 wrote to memory of 4408	1080	WScript.exe	96
PID 4408 wrote to memory of 1400	4408	cmd.exe	98
PID 4408 wrote to memory of 1400	4408	cmd.exe	98
PID 1400 wrote to memory of 964	1400	surrogatebrowserRuntime.exe	148
PID 1400 wrote to memory of 964	1400	surrogatebrowserRuntime.exe	148

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	surrogatebrowserRuntime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	surrogatebrowserRuntime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	surrogatebrowserRuntime.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portSurrogateDhcp\yq8opXrx.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\portSurrogateDhcp\I8GW14sKhzW7q6q04x1rFcYIygVpL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\portSurrogateDhcp\surrogatebrowserRuntime.exe
      "C:\portSurrogateDhcp\surrogatebrowserRuntime.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1400
    - - C:\Recovery\WindowsRE\SearchApp.exe
        
        "C:\Recovery\WindowsRE\SearchApp.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        System policy modification
        
        PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\portSurrogateDhcp\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\portSurrogateDhcp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\portSurrogateDhcp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatebrowserRuntimes" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\surrogatebrowserRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatebrowserRuntime" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\surrogatebrowserRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatebrowserRuntimes" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\surrogatebrowserRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\portSurrogateDhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\portSurrogateDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\portSurrogateDhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\portSurrogateDhcp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\portSurrogateDhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\portSurrogateDhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\portSurrogateDhcp\I8GW14sKhzW7q6q04x1rFcYIygVpL.bat

Filesize
50B

MD5
ece322b75c5e4383a93614451a790b69

SHA1
64349dff64838975d5e8f43aca2fc58cdc2d23a4

SHA256
ea8a87c2f391ea31733f8940f08438c1c37fe24c48436b2b42172782cf0e80e7

SHA512
ecfda4c643834f5afce94eacb2913395ca16979b48934263c0a32f181eac03daea0b469cbefd8bc7808bdd40d3c0c6203251bf2b9afe503dd8d42194f4efbe03

Download Submit
C:\portSurrogateDhcp\surrogatebrowserRuntime.exe

Filesize
1.4MB

MD5
571ab5b678016f479ea48c5270bd6174

SHA1
9e92df1fe28497858acba7d0289ff9024a7384c1

SHA256
9eb21f43a0f1b4abd717d18aa802239ea37bb179af72136dcc892bd54f46547a

SHA512
e70d1d40cca84d4cb7aa991e0cbdde8ac21b02dd0a8291fcbbab3039d64998107ce581c8b5dc31d1144971775b89b5b5e1ebc686c95438f51c7bbc40ef4935c7

Download Submit
C:\portSurrogateDhcp\yq8opXrx.vbe

Filesize
223B

MD5
632ed12534a63933a54e87794bdcbde9

SHA1
767f1a7d754d9567d6ec9bfd0645c4f02e3bd34c

SHA256
7e28ef3bfe89e42a7ffffc01778d85b5d78f7838353b4e21a28652d619f2aadf

SHA512
720d93474abb4046ee46c230154341bec17d78bdd35d9dcaf550aff533edd492d76448eaf3959d456e310573d88eb0fd77d2895b6b8d716f07ae1ea9a3121f3a

Download Submit
memory/964-68-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/964-67-0x000000001AFA0000-0x000000001AFB2000-memory.dmp

Filesize
72KB

Download
memory/1400-18-0x0000000002CF0000-0x0000000002CFA000-memory.dmp

Filesize
40KB

Download
memory/1400-15-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/1400-16-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/1400-14-0x0000000002CA0000-0x0000000002CAE000-memory.dmp

Filesize
56KB

Download
memory/1400-19-0x0000000002D00000-0x0000000002D0C000-memory.dmp

Filesize
48KB

Download
memory/1400-17-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

Filesize
88KB

Download
memory/1400-20-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download
memory/1400-21-0x000000001C500000-0x000000001CA28000-memory.dmp

Filesize
5.2MB

Download
memory/1400-23-0x000000001B890000-0x000000001B89E000-memory.dmp

Filesize
56KB

Download
memory/1400-22-0x000000001B880000-0x000000001B888000-memory.dmp

Filesize
32KB

Download
memory/1400-13-0x0000000000A10000-0x0000000000B86000-memory.dmp

Filesize
1.5MB

Download
memory/1400-12-0x00007FFAF2F23000-0x00007FFAF2F25000-memory.dmp

Filesize
8KB

Download